The decision by the 4th U.S. Circuit Court of Appeals means Betty Ostergren avoids being sued by the state’s top law enforcement official for breaching a state law that prohibits publication of such information.

The Richmond, Virginia, court, however, stopped short of striking down the law, which was adopted in 2008 and carries civil penalties of about $3,500 per violation.

Instead, a three-judge panel said the regulation breached Ostergren’s First Amendment rights as they applied to her protected “political” speech. The court found that the purpose of Ostergren’s speech outweighed the privacy interests of the roughly three dozen public officials whose data was published on her website.

Ostergren published land records that contained Social Security numbers on her TheVirginiaWatchdog to protest the data being included in publicly available online local government documents.

The woman maintained that “seeing a document containing an SSN posted on my website makes a viewer understand instantly, at a gut level, why it is so important to prevent the government from making this information available.”

A three-judge panel of the appeals court agreed.

“We find particularly significant just how Ostergren communicates SSNs. She does not simply list them beside people’s names but rather provides copies of entire documents maintained by government officials,” the court said Monday. “Given her criticism about how public records are managed, (.pdf) we cannot see how drawing attention to the problem by displaying those very documents could be considered unprotected speech.”

Ostergren’s lobbying of the Virginia government to redact the Social Security numbers bore fruit. The state is in the process of redacting 2 million records.

The woman’s attorney, Rebecca Kim Glenberg of the American Civil Liberties Union, noted that the court was silent on whether a different set of circumstances, such as Ostergren publishing the Social Security numbers for nefarious reasons, would enjoy the same First Amendment protection.

“Because it was political speech, she had extra protection,” Glenberg said of the court’s decision.

A spokesman for Attorney General Kenneth T. Cuccinelli did not immediately respond for comment.

In May, a harsher Florida law imposing jail time for posting police officers’ home addresses or phones numbers was found to be an unconstitutional restraint on speech.

Photo: TheVirginiaWatchdog.com

See Also:

• RateMyCop User Ensnared in ‘Dumbest Case Ever’
• Judge Rules Post on Cop-Rating Site is Protected Speech
• Court: Cyberbullying Threats Are Not Protected Speech
• Yahoo Spouts First Amendment Doublespeak
• Judge Says Constitution Protects Right to Lie About Purple Heart
• Rulings Leave Online Student Speech Rights Unresolved

The brouhaha commenced in February, when a student of Lower Merion School District was called into an administrator’s office. Sophomore Blake Robbins was shown a picture of himself that officials suggested was him popping pills. The family claimed it was candy.

An invasion-of-privacy lawsuit followed, alleging the district had snapped thousands of pictures of its students using webcams affixed to the 2,300 Apple laptops the district issued. Some of the images included pictures of youths at home, in bed or even “partially dressed,” (.pdf) according to a filing in the case. Students’ online chats were also captured, as well as a record of the websites they visited.

The latest allegations (.pdf) Tuesday, brought by an 18-year-old former student who had just graduated from Lower Merion High, came to light in the discovery phase of Robbins’ suit.

Student Jalil Hasan reported his laptop lost December 18, and it was returned to him three days later, according to the suit.

But the LanRev Theft Track program, which the district activated when the computer was reported missing, was never turned off after the computer was given back to Hasan, according to the lawsuit.

The tracking software on Hasan’s computer wasn’t turned off until February 18, when Robbins filed suit, the suit alleges, claiming that at least 469 photographs and 543 screenshots were taken by Hasan’s computer without his knowledge.

Hasan’s suit said the images “were taken without Jalil’s knowledge, without his authorization and to his utter shock, dismay, panic, embarrassment and disgust.”

A federal judge presiding over the matter, who is weighing whether to allow a class-action lawsuit against the district, has blocked administrators from activating the LanRev program again. The district said the cameras were activated only when a laptop was reported stolen or missing — assertions lawyers suing the district dispute.

Two school district employees who controlled the LanRev activation process have been placed on paid, administrative leave.

The district declined comment. Federal prosecutors have also been given evidence generated from Robbins’ suit.

Photo: Magic Madzic

See Also:

• FBI Gets Evidence in Student Webcam Scandal
• School District Allegedly Snapped Thousands of Student Photos
• Students, Parents Allowed to View Webcam Scandal Photos
• School District Halts Webcam Surveillance
• Feds Say Judge Hampering Webcam Spy Probe

At issue is technology from Quantcast, also targeted in the lawsuit. Quantcast created Flash cookies that track users across the web, and used them to re-create traditional browser cookies that users deleted from their computers. These “zombie” cookies came to light last year, after researchers at UC Berkeley documented deleted browser cookies returning to life. Quantcast quickly fixed the issue, calling it an unintended consequence of trying to measure web traffic accurately.

Flash cookies are used by many of the net’s top websites for a variety of purposes, from setting default volume levels on video players to assigning a unique ID to users that tracks them no matter what browser they use. (Disclosure: The last time we reported on this issue, we found that Wired.com used one to set video preferences.)

The lawsuit (.pdf), filed in U.S. district court in San FranciscoCentral California, asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws. The lawsuit alleges a “pattern of covert online surveillance” and seeks status as a class action lawsuit. The lawsuit was filed by Joseph Malley, a privacy activist lawyer who also played key roles in other high profile privacy lawsuits, including a $9.5 million settlement earlier this year from Facebook over its ill-fated Beacon program and a settlement with Netflix after the company gave imperfectly anonymized data to contestants in a movie recommendation contest.

“The objective of this scheme was the online harvesting of consumers’ personal information for Defendants’ use in online marketing activities,” wrote Malley, who called the technique “as simple as it was deceptive and devious.”

Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not.

Adobe’s Flash software is installed on an estimated 98 percent of personal computers, and has been a key component in the explosion of online video, powering video players for sites such as YouTube and Hulu.

Websites can store up to 100 kilobytes of information in the plug-in, 25 times what a browser cookie can hold. Sites like Pandora.com also use Flash’s storage capability to pre-load portions of songs or videos to ensure smooth playback.

QuantCast was using the same user ID in its HTML and Flash cookies, and when a user got rid of the former, Quantcast would reach into the Flash storage bin, retrieve the user’s old number and reapply it so the customer’s browsing history around the net would not be cut off.

Quantcast’s behavior stopped last August, after Wired.com reported on the research from then-grad student Ashkan Soltani.

Quantcast is used by thousands of sites to measure the number of unique visitors and to get information on the kinds of people visiting their site — athletic, older, interested in food, etc.

The lawsuit seeks unspecified damages and a court order requiring the companies to delete data collected, stop the practice in the future and provide an easy way to opt out.

All modern browsers now include fine-grained controls to let users decide what cookies to accept and which to get rid of, but Flash cookies are handled differently. These are fixed through a web page on Adobe’s site, and the controls are not easily understood (There is a panel for Global Privacy Settings and another for Website Privacy Settings — the difference is unclear). In fact, the controls are so odd, the page has to tell you that it actually is the control for your computer, not just a tutorial on how to use the control.

Firefox users can prevent or delete Flash cookies using a free add-on called BetterPrivacy.

Scribd, Hulu, and ESPN both declined to comment, saying they had not yet been served with the lawsuit.

Quantcast and MTV’s parent company, Viacom, did not respond to requests for comment.

The case number is 10-CV-5484, U.S. District Court for the Northern District of California.

Photo:JGarber/Flickr

See Also:

• You Deleted Your Cookies? Think Again
• Flash Cookie Researchers Spark Quantcast Change
• Judge Approves $9.5 Million Facebook 'Beacon' Accord
• Facebook Denies 'All Wrongdoing' in 'Beacon' Data Breach
• Facebook Beacon Tracking Program Draws Privacy Lawsuit